How to scan computers/network with Nmap
First of all, we are going to discover which computers are up on our network (192.168.0.0):
santi@kalibook:$ nmap -sn 192.168.1.0/24

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 20:05 CEST
Nmap scan report for 192.168.1.1
Host is up (0.017s latency).
Nmap scan report for 192.168.1.3
Host is up (0.013s latency).
Nmap scan report for 192.168.1.29
Host is up (0.00040s latency).
Nmap scan report for 192.168.1.32
Host is up (0.074s latency).
Nmap scan report for 192.168.1.254
Host is up (0.010s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 9.61 seconds
Imagine that you want to guess which operating system is running on some of the computers you have scanned. In this case we will do it with a computer that is running Windows 7. We know the IP address of this computer because it is a virtual machine that is running at this moment. It does not appear in the list of remote computers because its firewall is enabled. If we disable the firewall and scan our network again, this computer will appear in the list of connected computers.
Now we are going to scan this computer to try to guess which OS it is running and to gather some extra information. First, we will try with the firewall enabled:
santi@kalibook:$ sudo nmap -O 192.168.1.40

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 20:05 CEST
Nmap scan report for 192.168.1.40
Host is up (0.00018s latency).
All 1000 scanned ports on 192.168.1.40 are filtered
MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.73 seconds
We can see that we did not obtain any information about the remote computer. Now we will disable the default firewall and try again with the same nmap options:
santi@kalibook:$ nmap -O 192.168.1.40

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 20:07 CEST
Nmap scan report for 192.168.1.40
Host is up (0.00016s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5357/tcp  open  wsdapi
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown
MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows 2008|10|7|8.1
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.30 seconds
Because the firewall was disabled we have obtained a lot of information about the remote computer: open ports, running services, MAC address, and some extra information about which version of Windows is running and an approximation of how up to date it is (Service Packs installed on the remote computer). Now we can see how important it is to enable the firewall on our computer. If an attacker knows nothing about our computer, it will be much harder for anyone to mount an attack against it.
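As an added example (not part of the original page), a small Python parser for nmap's normal output that turns the two -O scans above into data a script can compare, so the "firewall on" and "firewall off" views of the same host can be diffed as a check on what the host exposes. The sample output is constructed from the scans on this page, trimmed to the lines the parser uses.

```python
import re

# Constructed samples trimmed from the two -O scans above: the same host
# with the Windows firewall enabled (everything filtered) and disabled.
FIREWALL_ON = """\
Nmap scan report for 192.168.1.40
All 1000 scanned ports on 192.168.1.40 are filtered
MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
"""
FIREWALL_OFF = """\
Nmap scan report for 192.168.1.40
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5357/tcp  open  wsdapi
49152/tcp open  unknown
MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1
"""

# "Nmap scan report for 10.0.0.1" or "... for host.local (10.0.0.1)"
HOST_RE = re.compile(r"Nmap scan report for (?:(\S+) \()?([\d.]+)\)?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_report(text):
    """Parse nmap's normal output into one dict per host."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = {"ip": m.group(2), "open": [], "mac": None,
                   "os": None, "all_filtered": False}
            hosts.append(cur)
        elif cur is None:
            continue                      # header lines before any host
        elif (pm := PORT_RE.match(line)) and pm.group(3) == "open":
            cur["open"].append((int(pm.group(1)), pm.group(2), pm.group(4)))
        elif line.startswith("All ") and "are filtered" in line:
            cur["all_filtered"] = True    # a host firewall is dropping probes
        elif line.startswith("MAC Address: "):
            cur["mac"] = line.split()[2]
        elif line.startswith("OS details: "):
            cur["os"] = line[len("OS details: "):]
    return hosts

def exposure_delta(before, after):
    """Open ports visible in `after` that were not visible in `before`."""
    seen = {(p, proto) for p, proto, _ in parse_report(before)[0]["open"]}
    return [e for e in parse_report(after)[0]["open"] if e[:2] not in seen]
```

Run the same two scans against a host after a firewall policy change and feed them to `exposure_delta` to see exactly which ports the change uncovered.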